A few days ago researchers issued an alert for the Microsoft Windows Cursor and Icon (.ANI) zero-day vulnerability. Now they have issued an alert for a new worm that uses it.
“It’s bad news that the Windows Animated Cursor Handling zero-day vulnerability has now been used by malware in China. We received this new worm today. It has the same behavior as Worm.Win32.Fujacks. It can also infect .HTML, .ASPX, .HTM, .PHP, .JSP, .ASP and .EXE files, and inserts malicious links that contain the Windows Animated Cursor Handling zero-day vulnerability into .HTML, .ASPX, .HTM, .PHP, .JSP and .ASP files. It can also send out Chinese spam which includes the same zero-day vulnerability link.”
View the analysis on CISRT:
http://www.cisrt.org/enblog/read.php?68
Archive for the ‘Analysis’ Category
New worm uses the .ani zero-day vulnerability
April 2, 2007
malware analysis (Nailuj)
March 4, 2007
Again, an analysis of a piece of malware. “The malware, named Nailuj by some antivirus companies, is composed of 3 files: VideoAti0.exe, VideoAti0.dll and VideoAti0.sys. I won’t talk about all the files, but will focus my attention on only one, the sys file. This malware represents a nice target for those who want to approach a malware for the very first time because it uses well-known techniques, such as hiding files and hooking functions. Nothing hard once you have dealt with them at least once. In addition, the sys file is compiled in debug mode and every operation performed by the malware is documented inside the code. Yes, every time it does something it reveals its success or failure, printing out a comment using the DbgPrint function. This is really useful because you know what it will do before starting to analyze the code, not so bad.”
(more…)
Analysis of the worm “Tibick.D”
February 23, 2007
The aim of this article is to give an introduction to the field of malware analysis. The worm dissected later in this article is neither new nor unknown and has been analyzed already. A very simple and primitive worm has been chosen to make this article as understandable as possible, especially to those who have never reversed a worm before or are (relatively) new to reverse engineering.
This article might not be very interesting for advanced (malware) reversers.
(more…)
A Closer Look at the Worm_Mimail.A
February 18, 2007
“A Closer Look at the Worm_MiMail.A” (written by C. Hornat) is a good analysis of techniques you see used in a lot of malware. This analysis shows how these things work.
“On August 1, 2003, I encountered several emails from my email admin account informing me that my email address will be expiring and that I should read an attachment for further details. Being suspicious, I analyzed that file and the effects of it. This is a short overview of what I have found so far.”
(more…)
Hacking The Malware
February 16, 2007
This paper attempts to document an approach to how hackers make use of vulnerabilities to install malicious software on a vulnerable machine. A comprehensive reverse-engineered analysis of the malicious software (Win32.Qucan.a) and the various protection schemes against the worm offered by various security products are also discussed.
Win32 Buffer Overflow
February 8, 2007
Real Life Vuln-Dev Process of a Win32 Stack Buffer Overflow
Introduction from the paper:
Many times Sergio has been asked to write a paper about how to code an exploit for win32, for two reasons: first because there are many papers about exploitation on *nix but few about how to exploit in the win32 world, and second because papers about win32 exploitation are very difficult to understand for people without a good understanding of ASM and C. So Sergio thought that the best way to do something clear was to write something as simple as possible, leaving nothing for the readers to guess. Well, this is what Sergio thinks is the easiest he could do: explaining the whole process of finding, debugging and exploiting a black-box application. For this purpose Sergio has chosen ‘War-FTPd v1.65’, a known stack b0f bugged piece of software, which is gonna be used in this tutorial.
Zone-H Defaced!!
December 25, 2006
As you may have noticed, Zone-H got defaced in the night between Dec 21st and Dec 22nd. This was an elaborate attack that was possible (as were most of the past Zone-H incidents) because it started with the exploitation of the human factor.
Zone-H has written up a full incident analysis report on this.
I hope everyone has a Happy Holidays!
Writing a BoF Exploit on Windows
December 25, 2006
This is a tutorial about writing an exploit. We will use the Mrinfo.exe buffer overflow for learning. A nice paper for noobs, step by step with pictures. Source: coromputer.net (read more…) (more…)
Developing an MS06-040 Exploit!
December 16, 2006
In this paper Trirat Kira explains how to develop an MS06-040 exploit against Windows Server 2003 SP0, and in particular how to bypass the stack-based buffer overflow protection mechanism in Windows Server 2003 SP0.
read more …
Analyzing the XMPlay 3.3.0.4 BOF Exploit
December 2, 2006
Source: milw0rm’s forum
This one uses a file to exploit a vulnerability, so when your victim opens this file, the vulnerability gets exploited and calc.exe is executed on the victim’s system.
Vulnerability Description:
Greg Linares has discovered a vulnerability in XMPlay, which can be exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to a boundary error within the parsing of playlists (.m3u, .pls, and .asx) containing an overly long file name (greater than 500 bytes). This can be exploited to cause a stack-based buffer overflow via a specially crafted playlist file.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in version 3.3.0.5. Other versions may also be affected.
Let’s analyze the exploit …
(read more … )
(more…)